STEP 1: OVER-PROVISION BANDWIDTH TO ABSORB DDOS BANDWIDTH PEAKS
This is one of the most common and probably most expensive way to alleviate DDoS attacks, especially since DDoS attacks can be ten times or one hundred times greater than standard Internet traffic levels.
Alternatively companies can use a security service to scale on demand to absorb and filter DDoS traffic. DDoS protection services are designed to stop massive DDoS attacks without burdening businesses’ Internet connections.
STEP 2: MONITOR APPLICATION AND NETWORK TRAFFIC
Monitoring application and network traffic is the best way to detect when you are under an attack. That way, you can determine if poor application performance is due to service provider outages or a DDoS attack.
Monitoring traffic also allows organisations to differentiate legitimate traffic from attacks. It is important for security administrators to review traffic levels, application performance, anomalous behaviour, protocol violations, and Web server error codes. Since DDoS attacks are almost always triggered by botnets, application tools used should be able to differentiate between standard user and bot traffic.
Monitoring application and network traffic provide IT security administrators with instant visibility into DDoS attack status.
There are two main methods to identify DDoS attack traffic:
- Identify malicious users.
- Identify malicious requests. For application DDoS traffic, often times identifying malicious users can be the most effective way to mitigate attacks.
Identify known attack sources, such as malicious IP addresses that are actively attacking other sites, and identifying anonymous proxies and TOR networks. Known attack sources account for a large percentage of all DDoS attacks.
Due to the fact that malicious sources constantly change, organisations should have a current list of active attack sources. Recognise known bot agents as DDoS attacks are usually performed by an automated client. Many of these client or bot
agents have unique characteristics that differentiate them from regular Web browser agents. DDos sources can be stopped by tools that recognise bot agents. By conducting validation tests one can determine whether the Web visitor is a human or a bot.
For example, if the visitor’s browser can accept cookies, perform JavaScript calculations or understand HTTP redirects, then it is most likely a real browser and not a bot script. Limit and restrict access by geographic location. With some DDoS attacks, the majority of attack traffic may originate from one country or a specific region of the world. Blocking requests from undesirable countries can be a simple yet effective way to stop the vast majority of DDoS attack traffic.
STEP 4: DETECT AND STOP MALICIOUS REQUESTS
Since application DDoS attacks mimic regular Web application traffic, they can be difficult to detect through typical network DDoS techniques. But, by using a combination of application-level controls and anomaly detection, organisations can identify and stop malicious traffic.
MEASURES INCLUDE:
i. Detecting an excessive number of requests from a single source or user session automated attack sources always request web pages more frequently than standard users.
ii. Preventing known network and application DDoS attacks because most types of DDoS attacks rely on simple network techniques like fragmented packets, spoofing, or not completing TCP handshakes. More advanced attacks, typically application-level attacks, attempt to overwhelm server resources.hese attacks can be detected through unusual user activity and known application attack signatures.
- Source : Cybershield magazine.
No comments:
Post a Comment